b"Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n\n              Major Management Challenges \n\n        Facing the Department of Homeland Security \n\n\n\n\n\nOIG-09-08                                    November 2008\n\x0c                                                               Office of Inspector General\n\n                                                               U.S. Department of Homeland Security\n                                                               Washington, DC 20528\n\n\n\n\n                                       November 12, 2008\n\n\n                                       Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established\nby the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector\nGeneral Act of 1978. This is one of a series of audit, inspection, and special reports prepared as\npart of our oversight responsibilities to promote economy, efficiency, and effectiveness within\nthe department.\n\nThe attached report presents our FY 2008 assessment of the major management challenges\nfacing the Department of Homeland Security. As required by the Reports Consolidation Act of\n2000 (Public Law 106-531), we update our assessment of management challenges annually.\n\nIt is our hope that this report will result in more effective, efficient, and economical operations.\nWe express our appreciation to all of those who contributed to the preparation of this report.\n\n\n\n\n                                       Richard L. Skinner             \n\n                                       Inspector General          \n                   \n\n\x0c                                                               Office of Inspector General\n\n                                                               U.S. Department of Homeland Security\n                                                               Washington, DC 20528\n\n\n\n\nMajor Management Challenges Facing the Department of \n\n               Homeland Security \n\n\nThe creation of the Department of Homeland Security galvanized the Nation\xe2\x80\x99s fight against\nterrorism by consolidating and mobilizing the assets of the federal government under one\nroof with a single, focused mission: to ensure that the tragic events of Sept. 11, 2001, are\nnever repeated again on American soil.\n\nAfter just 5 short years, we are beginning to witness the positive effects of the department\xe2\x80\x99s\nefforts and initiatives: tighter security at the borders; increased immigration enforcement;\ngreater cooperation with our international partners; expanded partnerships with the private\nsector; better and more efficient passenger screening at our airports; and regenerated disaster\nresponse and recovery management. Despite these considerable accomplishments, DHS still\nhas much to do to establish a cohesive, efficient, and effective organization.\n\nThe major management challenges we have identified significantly affect the department\xe2\x80\x99s\nability to protect our homeland and are decisive factors in setting priorities for audits,\ninspections, and evaluations of DHS programs and operations. As required by the Reports\nConsolidation Act of 2000 (Public Law 106-531), we update our assessment of management\nchallenges annually.\n\nWe have identified the following major management challenges:\n      \xef\xbf\xbd Acquisition Management\n      \xef\xbf\xbd Financial Management\n      \xef\xbf\xbd Information Technology Management\n      \xef\xbf\xbd Catastrophic Disaster Response and Recovery\n      \xef\xbf\xbd Grants Management\n      \xef\xbf\xbd Infrastructure Protection\n      \xef\xbf\xbd Border Security\n      \xef\xbf\xbd Transportation Security\n      \xef\xbf\xbd Trade Operations and Security\n\nSince the major management challenges have tended to remain the same from year to year,\nwe are developing scorecards to distinguish the department\xe2\x80\x99s progress in selected areas. Our\n\n\n                                                                                                      1\n\x0cfirst scorecard, published in the Semiannual Report to Congress, October 1, 2006 \xe2\x80\x93 March\n31, 2007, included an assessment of DHS\xe2\x80\x99 acquisition function. This report features\nscorecards for acquisition management, financial management, information technology\nmanagement, and catastrophic disaster response and recovery. These four scorecards are\nsummarized in Figure 1 and incorporated in our discussion of the major management\nchallenges.\n\nFigure 1.\n\n\n       DHS\xe2\x80\x99 OVERALL PROGRESS IN\n            SELECTED AREAS\n Ratings are based on a four-tiered scale:\n Limited, Modest, Moderate, and Substantial.\n                                  Modest Progress\n Acquisition Management\n\n                                  Modest Progress\n Financial Management\n\n                                  Moderate Progress\n Information Technology\n Management\n\n                                  Moderate Progress\n Catastrophic Disaster\n Response and Recovery\n\n\n\n\n                                                                                           2\n\x0cACQUISITION MANAGEMENT\nContracting for goods and services consumes nearly 40% of the department\xe2\x80\x99s annual budget\nand is absolutely critical to achieving its mission. Acquisition management is a complex\nprocess that goes beyond simply awarding a contract. It begins with the identification of a\nmission need; continues with the development of a strategy to fulfill that need while\nbalancing cost, schedule, and performance; and concludes with contract closeout after the\nterms have been satisfactorily met. A successful acquisition process requires an effective\nacquisition management infrastructure.\n\nThe following are critical acquisition success factors:\n   \xef\xbf\xbd\t Organizational Alignment and Leadership\xe2\x80\x94ensures appropriate placement of the\n       acquisition function, defines and integrates roles and responsibilities, and maintains\n       clear, strong executive leadership;\n   \xef\xbf\xbd\t Policies and Processes\xe2\x80\x94partnering with internal organizations, effective use of\n       project management approaches, and establishment of effective internal controls;\n   \xef\xbf\xbd\t Acquisition Workforce\xe2\x80\x94commitment to human capital management, integration and\n       alignment of human capital approaches with organizational goals, and investment in\n       people; and\n   \xef\xbf\xbd\t Knowledge Management and Information Systems\xe2\x80\x94tracking of key acquisition data,\n       analysis of supplies and services spending, and data stewardship.\n\nAcquisition Management Scorecard\n\nThe following scorecard demonstrates areas where DHS has strengthened its acquisition\nmanagement practices. We based our assessment on pertinent reports, particularly recent\naudit work conducted at the Federal Emergency Management Agency (FEMA), reports\npublished by the Government Accountability Office (GAO), and congressional testimony.\nGiven the scope of our review, we did not perform an in-depth assessment of each\ncornerstone of the acquisition framework. We used the critical elements within each\xe2\x80\x94\norganizational alignment and leadership, policies and processes, acquisition workforce, and\nknowledge management and information systems\xe2\x80\x94as well as our broader knowledge of the\nacquisition function, to gauge overall progress in those cornerstones.\n\nThe ratings were based on a four-tiered scale ranging from limited to substantial progress:\n\n   \xef\xbf\xbd\t Limited: While there may be plans to address critical success factors, few if any\n      have been implemented;\n   \xef\xbf\xbd\t Modest: While some improvements have been made, many of the critical success\n      factors have not yet been achieved;\n   \xef\xbf\xbd\t Moderate: Many of the critical success factors have been achieved; and\n   \xef\xbf\xbd\t Substantial: Most or all of the critical success factors have been achieved.\n\nBased on the consolidated result of the four acquisition management capability areas, DHS\nhas made \xe2\x80\x9cmodest\xe2\x80\x9d progress overall in the area of Acquisition Management.\n\n\n\n\n                                                                                              3\n\x0c               ACQUISITION MANAGEMENT SCORECARD\n                                                                 Modest Progress\nOrganizational Alignment and Leadership\n\nDHS' executive leadership has made \xe2\x80\x9cmodest\xe2\x80\x9d progress in ensuring that the acquisition\nprogram achieves the organizational alignment needed to perform its functions. The\ndepartment continues to face challenges associated with implementing an acquisition\nfunction that is not fully integrated. According to GAO,1 the structure of DHS'\nacquisition function creates ambiguity about who is accountable for acquisition decisions.\nThe Chief Procurement Officer (CPO) has used collaboration and cooperation with the\ncomponents as the primary means of managing DHS-wide acquisition oversight.\nHowever, the CPO faces challenges in implementing the corrective actions, as they are\nonly recommendations, and the component head determines what action will be taken.2\n\nFEMA has made \xe2\x80\x9cmodest\xe2\x80\x9d progress in aligning the acquisition function to serve as a\npartner, rather than a support function, for FEMA program offices. The Office of\nAcquisition Management (OAM) has created an Acquisition Program & Planning branch,\nwhich aligns acquisition personnel with program functions and will serve as the primary\nlink between acquisitions and the program areas that generate requirements.3 A major\nchallenge is maintaining a sufficient acquisition workforce. In addition, OAM has\nexperienced turnover of the senior leadership responsible for developing and\ncommunicating a strategic vision.\n\n                                                                 Modest Progress\nPolicies and Processes\n\nDHS has made \xe2\x80\x9cmodest\xe2\x80\x9d progress in developing policies and processes to ensure that\ncomponents comply with regulations, policies, and processes to achieve department-wide\ngoals. Previously, we reported that the department had begun implementation of its\nacquisition oversight plan, which incorporates DHS policy, internal controls, and\nelements of an effective acquisition function. However, the oversight program does not\ninclude an evaluation of outcomes from contracting methods such as performance-based\nacquisitions. According to GAO4, the initial implementation of the plan has helped the\ncomponents prioritize actions to address identified weaknesses, although it is too early to\nassess the plan's overall effectiveness.\n\n\n1\n  GAO-07-948T, Department of Homeland Security Ongoing Challenges in Creating an Effective Acquisition \n\nOrganization, June 2007. \n\n2\n  GAO-07-900, Department of Homeland Security, Progress and Challenges in Implementing the Department\xe2\x80\x99s \n\nAcquisition Oversight Plan, June 2007. \n\n3\n  DHS-OIG, FEMA\xe2\x80\x99s Preparedness for the Next Catastrophic Disaster, OIG-08-34, March 2008. \n\n4\n  GAO-08-646T, Progress Made in Implementation of Management Functions, But More Work Remains, April \n\n2008. \n\n\n\n\n                                                                                                      4\n\x0c                ACQUISITION MANAGEMENT SCORECARD\nFEMA has implemented the Virtual Acquisition Office TM that provides an easily\naccessible, one-stop shop for useful acquisition guidance, and OAM has updated its\nEmergency Acquisition Field Guide. However, clear and transparent policies and\nprocesses for all acquisitions are still needed.\n                                                                   Modest Progress\nAcquisition Workforce\n\nDHS has made \xe2\x80\x9cmodest\xe2\x80\x9d progress in building and maintaining a skilled acquisition\nworkforce. Previously, we reported that personnel budget increases had allowed the\ndepartment to fill many acquisition staff positions. However, there are still workforce\nchallenges across the department. GAO reported in April 2008 that approximately 61%\nof the minimum required staff and 38% of the optimal level of contract specialists were\nin place. Components within the department such as the U.S. Coast Guard (Coast Guard)\nhave initiatives to develop and retain a workforce capable of managing complex\nacquisition programs, but they are still relying on contractors to fill key positions. DHS\nalso needs to improve the tracking of its acquisition workforce training and qualifications\nto ensure workforce development and appropriate assignment to acquisition projects.\n\nFEMA has significantly increased the number of its acquisition staff and has developed\ntraining initiatives for them. However, FEMA needs to focus on preparing the\nacquisition workforce to respond to a catastrophic disaster.\n                                                                   Modest Progress\nKnowledge Management and Information\nSystems\nDHS has made \xe2\x80\x9cmodest\xe2\x80\x9d progress in developing and deploying information systems to\ntrack and analyze acquisition data and improve user efficiency. Some progress has been\nmade in the integration of information systems. For example, according to the Coast\nGuard, it has completed the integration of three separate Coast Guard accounting systems\ninto a single Acquisition, Construction, and Improvement data set that is usable by all\nCoast Guard acquisition personnel as part of its Blueprint for Acquisition Reform.\nHowever, the department and its components still need to improve database reliability\nand verification.\n\nFEMA has made limited progress in providing staff with the tools they need to carry out\ntheir jobs. The outdated and nonintegrated information systems currently used by\nacquisition personnel were to be replaced by the PRISM contract-writing system in early\n2008. The PRISM roll-out has now been pushed back to 2009. Until PRISM is\ninstituted, acquisition personnel must use nonintegrated systems that require duplicate\n\n5\n  Statement of James L. Taylor, Deputy Inspector General, U.S. Department of Homeland Security, Before the\nSubcommittee on Management, Investigations, and Oversight, Committee on Homeland Security, U.S. House\nof Representatives, September 17, 2008; DHS-OIG, Logistics Information Systems Need to be Strengthened at\nthe Federal Emergency Management Agency, OIG-08-60, May 2008.\n\n\n\n                                                                                                             5\n\x0c                ACQUISITION MANAGEMENT SCORECARD\ninput of data, thus increasing the possibility of errors. Logistics systems are not\nintegrated with acquisition systems and do not provide complete asset visibility of\ndisaster goods.5\n\n\n\nFINANCIAL MANAGEMENT\nDHS has continued to improve financial management in FY 2008, but challenges remain. As\nin previous years, our independent auditors were unable to provide an opinion on DHS\xe2\x80\x99 FY\n2008 financial statements because the department could not provide sufficient evidence to\nsupport its financial statements or represent that financial statement balances were correct.\nThe department has continued to remediate material weaknesses and has reduced the number\nof conditions that contribute to the disclaimer of opinion.\n\nAlthough the Transportation Security Administration\xe2\x80\x99s (TSA) entity level controls\ndeteriorated in FY 2008, the department made overall improvements in entity level controls\nat the departmental and component level. These improvements resulted in a reduction in the\ntotal number of material weaknesses from seven in FY 2007 to six in FY 2008. Even though\nnew conditions were identified at FEMA and TSA, all components generally made progress\nin FY 2008.\n\nAs in FY 2007, the departmental material weaknesses in internal control were primarily\nattributable to the Coast Guard, FEMA, and TSA. The Coast Guard\xe2\x80\x99s material weaknesses,\nwhich have existed since 19946, contribute to all six of the department\xe2\x80\x99s material\nweaknesses, while FEMA contributes to four and TSA contributes to three. The Coast Guard\nalso contributes to TSA\xe2\x80\x99s financial systems security material weakness due to TSA\xe2\x80\x99s reliance\non the Coast Guard\xe2\x80\x99s financial systems. Although the other components did not have\nmaterial weaknesses, some had significant deficiencies that, when combined, contributed to\nthe departmental material weaknesses.\n\nFinancial Management Scorecard\n\nThe following scorecard presents the status of DHS\xe2\x80\x99 effort to address internal control\nweaknesses in financial reporting that were identified in FY 2007. The scorecard is divided\ninto two categories: (1) Military \xe2\x80\x93 Coast Guard and (2) Civilian \xe2\x80\x93 all other DHS components.\nThe scorecard lists the seven material weaknesses and one other significant deficiency\nidentified during the independent audit of the FY 2007 DHS consolidated balance sheet and\nstatement of custodial activity. For a complete description of the internal control weaknesses\nidentified in the FY 2007 audit, see OIG-08-12.7 To determine the status, we compared the\n\n6\n  DOT-OIG, Significant Internal Control Weaknesses Identified in Audits of FY 1994 and 1995, R3-CG-6-011,\n \n\nAugust 1996.\n\n7\n  DHS-OIG, Independent Auditors' Report on DHS' FY 2007 Financial Statements, OIG-08-12, November\n \n\n2007. \n\n\n\n\n                                                                                                          6\n\x0cmaterial weaknesses reported by the independent auditor in FY 2007 with those reported in\nFY 2008. The scorecard does not include other financial reporting control deficiencies\nidentified in FY 2008 that do not rise to the level of a significant deficiency, as defined by\nthe American Institute of Certified Public Accountants. The ratings show that the department\nmade some progress in FY 2008 toward remediation of the control weaknesses that were\nidentified in FY 2007.\n\nThe ratings were based on a four-tiered scale ranging from limited to substantial progress as\nfollows:\n\n   \xef\xbf\xbd\t Limited: While there may be plans to address internal control weaknesses, few if any\n      have been remediated;\n   \xef\xbf\xbd\t Modest: While some improvements have been made, many of the internal control\n      weaknesses have not yet been remediated;\n   \xef\xbf\xbd\t Moderate: Many of the internal control weaknesses have been remediated; and\n   \xef\xbf\xbd\t Substantial: Most or all of the internal control weaknesses have been remediated.\n\nBased on the consolidated result of the seven financial management capability areas, DHS\nhas made \xe2\x80\x9cmodest\xe2\x80\x9d progress overall in the area of Financial Management.\n\n\n                 FINANCIAL MANAGEMENT SCORECARD\nFinancial Management and Entity Level Control: Entity level controls are the\n                            foundation that ensures internal control systems are\n                            comprehensively designed to achieve the mission and execute\n                            the department\xe2\x80\x99s strategy.\n\n      Military              Modest Progress\n\n                  The Coast Guard made \xe2\x80\x9cmodest\xe2\x80\x9d progress in addressing its internal\n                  control weaknesses related to financial management and entity level\n                  controls. In FY 2007, the independent auditor\xe2\x80\x99s report (IAR) noted that\n                  several conditions related to entity level control weakness also existed in\n                  prior years. For example, the Coast Guard did not fully implement a\n                  financial management organizational structure that incorporates U.S.\n                  generally accepted accounting principles or appropriately supports its\n                  financial statement balances. As a result, the Coast Guard could not\n                  assert to the completeness, existence (validity), accuracy, valuation, or\n                  presentation of its financial data.\n\n                  Although entity level control weaknesses continued to exist at the Coast\n                  Guard in FY 2008, some progress has been made. The FY 2008 IAR\n                  noted that the Coast Guard updated its Mission Action Plans in FY 2008\n                  and created the Financial Strategy for Transformation and Audit\n                  Remediation (FSTAR). The FSTAR is a comprehensive plan to identify\n                  and correct the root causes of control deficiencies. However, most of the\n\n\n\n                                                                                                7\n\x0c           FINANCIAL MANAGEMENT SCORECARD\n           corrective actions outlined in the FSTAR were not scheduled to begin in\n           FY 2008. Consequently, most of the entity level control weaknesses\n           identified during FY 2007 continued to exist during FY 2008. The\n           conditions noted at the Coast Guard contributed to an overall significant\n           deficiency in entity level control at the department for FY 2008.\n\n\nCivilian            Moderate Progress\n           Overall, DHS has demonstrated \xe2\x80\x9cmoderate\xe2\x80\x9d progress in establishing a\n           financial management organization structure to enforce accountability\n           and institute internal controls into the department\xe2\x80\x99s culture. As a result,\n           DHS has remediated the severity of this condition from a material\n           weakness to a significant deficiency with Coast Guard, FEMA, and TSA\n           contributing to this condition. However, while FEMA was the only\n           civilian component that contributed to the material weakness in FY 2007,\n           there is now one additional component (TSA) contributing to a\n           significant deficiency in FY 2008.\n\n           The department has undertaken and completed several steps designed to\n           strengthen its entity and process level internal controls, thereby\n           improving the reliability of financial reporting. These steps are\n           documented in the DHS FY 2008 Internal Control Playbook, released in\n           March 2008, and in component level Mission Action Plans finalized in\n           FY 2008.\n\n           During FY 2007, a number of internal control weaknesses related to\n           financial management and entity level controls at FEMA rose to a\n           material weakness at the DHS consolidated financial statement level.\n           Among other conditions, the independent auditors noted that FEMA had\n           not established a financial management organization structure with clear\n           oversight and supervisory review functions that support the development\n           and implementation of effective policies, procedures, and internal\n           controls over financial reporting. Such policies, procedures, and controls\n           are needed to ensure that accounting principles are correctly applied and\n           accurate financial data is submitted to the Office of Financial\n           Management for consolidation in a timely manner.\n\n           FEMA has made \xe2\x80\x9cmodest\xe2\x80\x9d progress toward correcting its entity level\n           control deficiencies. During FY 2008, the independent auditors noted\n           that FEMA developed Mission Action Plans to eliminate account balance\n           qualifications identified in the IAR in FY 2007. However, some entity\n           level control deficiencies identified in previous years continued to exist\n           throughout FY 2008.\n\n\n\n\n                                                                                         8\n\x0c                 FINANCIAL MANAGEMENT SCORECARD\n                 During FY 2008, TSA successfully addressed some account balance\n                 discrepancies and control deficiencies that contributed to the disclaimer\n                 of opinion on DHS\xe2\x80\x99 financial statements. However, during the FY 2008\n                 audit, additional deficiencies that are indicative of weaknesses in entity\n                 level controls were identified at TSA.\nFinancial Reporting: Financial reporting is the process of presenting financial data\n                           about an agency\xe2\x80\x99s financial position, the agency\xe2\x80\x99s operating\n                           performance, and its flow of funds for an accounting period.\n                           The Federal Financial Management Improvement Act\n                           emphasizes the need for agencies to have systems that can\n                           generate timely, reliable, and useful information with which to\n                           make informed decisions to ensure ongoing accountability.\n\n     Military              Limited Progress\n\n                 The Coast Guard has demonstrated \xe2\x80\x9climited\xe2\x80\x9d progress in remediating the\n                 numerous internal control weaknesses identified by the independent\n                 auditors during FY 2007. Significant control deficiencies contributing to\n                 a material weakness in financial reporting in FY 2007 included: 1) lack\n                 of an effective general ledger system; and 2) lack of effective policies,\n                 procedures, and controls surrounding the financial reporting process.\n\n                 Although the Coast Guard developed its FSTAR during FY 2008, most\n                 of the corrective actions outlined in the document are scheduled to occur\n                 after FY 2008. Consequently, the Coast Guard was unable to make\n                 substantial progress in correcting the control weaknesses that were\n                 reported in prior years, and a material weakness still existed in FY 2008.\n\n      Civilian             Modest Progress\n\n                 During FY 2008, DHS made \xe2\x80\x9cmodest\xe2\x80\x9d progress in correcting the\n                 conditions that contributed to the material weakness in financial\n                 reporting in FY 2007. In FY 2007, conditions at the Office of Financial\n                 Management and FEMA rose to a level of material weakness, and\n                 conditions at TSA were considered a significant deficiency.\n\n                 During FY 2008, the Office of Financial Management fully corrected its\n                 material weakness over financial reporting, and FEMA made substantial\n                 progress toward correcting four material weaknesses that were reported\n                 in FY 2007. However, while FEMA has taken positive steps in FY 2008,\n                 some control weaknesses related to financial reporting continued to exist\n                 throughout FY 2008. These conditions at FEMA in the aggregate are\n                 considered a material weakness. In FY 2007, TSA adopted a two-year\n                 corrective action plan to address its financial reporting and other\n\n\n                                                                                              9\n\x0c                FINANCIAL MANAGEMENT SCORECARD\n                accounting internal control weaknesses. This resulted in TSA making\n                some progress in the development of its core accounting processes\n                throughout FY 2008. However, the independent auditors noted\n                additional and more serious financial reporting control weaknesses, some\n                of which have existed since the agency\xe2\x80\x99s inception. As a result, the\n                severity of the condition worsened in FY 2008 and TSA now has a\n                material weakness condition in financial reporting at the department\n                level.\n\nFinancial Systems Security: Financial systems security is essential to achieving\n                          effective, reliable reporting of financial and performance data.\n\n     Military             Limited Progress\n\n                The Coast Guard has made \xe2\x80\x9climited\xe2\x80\x9d progress in correcting certain\n                information technology (IT) general control weaknesses identified in\n                previous years. During FY 2007 significant control deficiencies\n                included: 1) excessive access to key Coast Guard financial applications,\n                2) application change control processes that are not adequately designed\n                nor operating effectively, 3) entity-wide security program issues\n                involving personnel background checks, 4) system software weaknesses\n                involving patch management, 5) segregation of duties involving lack of\n                policies and procedures and excessive privilege access issues, and 6)\n                service continuity issues involving the lack of disaster recovery testing .\n                Significant deficiencies in application change control processes are\n                among the principle causes of the Coast Guard\xe2\x80\x99s inability to support its\n                financial statement balances. In addition, the Coast Guard was not able\n                to effectively prioritize and implement Corrective Action Plans to\n                remediate the root cause of the IT general control weaknesses in 2007.\n                Many of these weaknesses were inherited from system development\n                activities that did not incorporate strong security controls during the\n                initial implementation of the system over five years ago, and will take\n                several years to fully address. These weaknesses exist in the\n                documentation of processes, the implementation of adequate security\n                controls over processes, and within financial systems. In FY 2008, the\n                Coast Guard remediated approximately 48% of its prior year IT general\n                controls weaknesses. Specifically, the Coast Guard has made progress in\n                remediation of issues in the areas of segregation of duties, systems\n                software, and service continuity. Although there has been an\n                improvement in the remediation effort, significant issues with the Coast\n                Guard\xe2\x80\x99s change control process continue to exist for its financial\n                applications.\n\n\n\n\n                                                                                             10\n\x0c                FINANCIAL MANAGEMENT SCORECARD\n\n     Civilian            Moderate Progress\n\n                The DHS Office of Chief Financial Officer and Office of Chief\n                Information Officer (OCIO) have demonstrated moderate progress in\n                improving their financial systems security. In FY 2007, two civilian\n                components contributed to the financial systems security material\n                weakness. Significant control deficiencies were noted in the areas of\n                access controls, application change control and service continuity. In FY\n                2008, these two components continued to contribute to this material\n                weakness although one component did make improvements in the area of\n                service continuity. Overall improvements in the Federal Information\n                System Controls Audit Manual domains for all civilian components\n                resulted in the closing of approximately 43 % of the IT general control\n                findings identified in FY 2007. One component however, continues to\n                show significant weaknesses in the areas of access controls and\n                application change controls for its financial systems. In addition, results\n                of a performance audit conducted in FY 2008 noted that the OCIO\xe2\x80\x99s Plan\n                of Action and Milestones process does not contain actionable steps to\n                remediate the issues or address the root cause of the material weakness.\n                In addition, Plans of Action and Milestones are not consistently updated,\n                and there is no correlation between the OCIO\xe2\x80\x99s Plan of Action and\n                Milestones and the Office of the Chief Financial Officer\xe2\x80\x99s OMB A-123\n                strategy.\nFund Balance with Treasury (FBwT): FBwT represents accounts held at\n                          Treasury from which an agency can make disbursements to\n                          pay for its operations. Regular reconciliation of an agency\xe2\x80\x99s\n                          FBwT records with Treasury is essential to monitoring and\n                          safeguarding these funds, improving the integrity of various\n                          U.S Government financial reports, and providing a more\n                          accurate measurement of budget resources.\n\n     Military             Limited Progress\n\n                The Coast Guard has demonstrated \xe2\x80\x9climited\xe2\x80\x9d progress in addressing the\n                material weaknesses noted in this area in FY 2007. Some of the\n                conditions noted in FY 2007 included: 1) lack of adequate supporting\n                documentation that validated the accuracy of all of the Coast Guard\n                FBwT reconciliations; 2) lack of an effective process for accounting for\n                suspense account transactions related to FBwT; 3) the Coast Guard\xe2\x80\x99s\n                inability to provide validated military and civilian payroll data to support\n                payroll transactions processed through the Coast Guard\xe2\x80\x99s FBwT account.\n\n\n\n\n                                                                                               11\n\x0c                FINANCIAL MANAGEMENT SCORECARD\n                In FY 2008, the Coast Guard developed a remediation plan (FSTAR) to\n                address the control deficiencies. However, most of the corrective actions\n                noted in the plan are scheduled to occur after FY 2008, thus, many of the\n                conditions identified in FY 2007 continued to exist throughout FY 2008.\n                These control weaknesses at the Coast Guard resulted in an overall\n                material weakness for the Department in FY 2008, as FBwT at the Coast\n                Guard represented approximately 8.3 % of total DHS FBwT at the end of\n                FY 2008.\n\n     Civilian           Substantial Progress\n\n                No control deficiencies related to FBwT were noted at the civilian\n                components in FY 2007. Corrective actions implemented in previous\n                years continued to be effective throughout FY 2007 and FY 2008.\nCapital Assets and Supplies: DHS capital assets and supplies consist of items such\n                          as property, plant and equipment, operating materials, and\n                          supplies, including boats and vessels at the Coast Guard,\n                          passenger and baggage screening equipment at TSA, and\n                          stockpiles of inventory to be used for disaster relief at FEMA.\n\n     Military             Limited Progress\n\n                The Coast Guard has demonstrated \xe2\x80\x9climited\xe2\x80\x9d progress in remediating the\n                control deficiencies related to capital assets and supplies in FY 2008.\n                The Coast Guard maintains approximately 60% of all DHS\xe2\x80\x99 property,\n                plant, and equipment (PP&E), which includes a large fleet of boat and\n                vessels. Since many of the Coast Guard\xe2\x80\x99s assets are constructed over a\n                multi-year period, have long useful lives, and undergo extensive routine\n                servicing that may increase their value or extend their useful lives,\n                comprehensive policies and procedures are necessary to accurately and\n                timely account for these assets. In FY 2007, as in prior years, the\n                independent auditors noted that the Coast Guard has been unable to\n                provide auditable documentation for certain categories of PP&E due to a\n                number of policy, control, and process deficiencies that will require\n                several years to correct. Many of these conditions still existed\n                throughout FY 2008.\n\n                In FY 2008, the Coast Guard developed corrective action plans (FSTAR)\n                to address the PP&E process and control deficiencies, and began\n                remediation efforts. However, the corrective actions included in the\n                FSTAR are scheduled to occur over a number of years. Consequently,\n                most of the material weakness conditions cited in FY 2007 remained\n                throughout FY 2008.\n\n\n\n\n                                                                                            12\n\x0c                FINANCIAL MANAGEMENT SCORECARD\n\n     Civilian             Modest Progress\n                Overall, the civilian components demonstrated \xe2\x80\x9cmodest\xe2\x80\x9d progress in\n                addressing the conditions identified in this area in FY 2007. In FY 2007,\n                three civilian components contributed to a material weakness in capital\n                assets and supplies. In FY 2007, conditions reported at FEMA rose to a\n                level of material weakness, and significant deficiency at TSA and US\xc2\xad\n                VISIT.\n\n                During FY 2008, FEMA and US-VISIT were able to fully remediate the\n                conditions leading to the material weaknesses identified in FY 2007.\n                However, FEMA was unable to assert to the validity of internal use\n                software and as a result, continues to contribute to the capital assets and\n                supplies material weakness at the departmental level.\n                Additionally in response to auditor inquires, TSA initiated various\n                reviews of its capital assets and identified errors in its accounting for\n                equipment used in airports that required a number of restatements to the\n                FY 2007 financial statement balances, and current year corrections. As a\n                result, TSA was unable to assert to the validity of capital assets and\n                supplies and contributes to the qualification of the financial statements\n                and material weaknesses at the department level.\n                Also, new control weaknesses were identified at Customs and Border\n                Protection (CBP) which were considered a significant deficiency. CBP\xe2\x80\x99s\n                internal control deficiencies in this area are primarily related to\n                construction of a fence along the border of the United States and Mexico.\n                The FY 2008 IAR noted that CBP had expensed construction cost instead\n                of capitalizing it as construction-in-progress.\nActuarial and Other Liabilities: Liabilities represent the probable and measurable\n                          future outflow or other sacrifice of resources as a result of past\n                          transactions or events. The internal control weaknesses\n                          reported in this area are related to various types of liabilities,\n                          including accounts and grants payable, and legal and actuarial,\n                          and environmental liabilities.\n\n     Military             Limited Progress\n\n                The Coast Guard maintains pension, medical, and postemployment travel\n                benefit programs that require actuarial computations to record related\n                liabilities for financial reporting purposes. Other liabilities include\n                accounts payable, environmental, and legal liabilities.\n\n                During FY 2008, the Coast Guard made \xe2\x80\x9climited\xe2\x80\x9d progress in\n\n\n\n                                                                                               13\n\x0c                 FINANCIAL MANAGEMENT SCORECARD\n                 remediating the conditions that contributed to the material weakness in\n                 this area. Control deficiencies identified by the independent auditors in\n                 FY 2007 and prior years continued to exist in FY 2008. For example, the\n                 FY 2008 IAR on DHS financial statements noted that the Coast Guard\n                 did not have effective policies, procedures, and controls to ensure the\n                 completeness and accuracy of participant, medical cost and other data\n                 provided to the actuary for the calculation of related benefit liabilities.\n\n      Civilian             Modest Progress\n\n                 Overall, the department demonstrated \xe2\x80\x9cmodest\xe2\x80\x9d progress in this area.\n                 During FY 2008, TSA fully corrected the control weaknesses that\n                 contributed to a significant deficiency in this area in the prior year.\n                 Additionally, conditions at FEMA were reduced to significant deficiency\n                 (from material weakness in FY 2007). However, new control\n                 weaknesses that rise to the level significant deficiency were identified at\n                 three additional civilian components.\n\n                 For FY 2008, the auditors noted that FEMA had not established a reliable\n                 method to estimate certain accounts payable for accrual in the financial\n                 statements until the end of the fiscal year. Additionally, for FY 2008 the\n                 Federal Law Enforcement Training Center, Immigration and Customs\n                 Enforcement (ICE), and Science and Technology components did not\n                 fully implement policies and standard operating procedures that will\n                 allow management to assert that environmental liabilities have been\n                 recorded and disclosed in the financial statements in accordance with\n                 applicable accounting standards.\n\n             In the aggregate, the significant deficiencies at the four components and\n             the material weakness at the Coast Guard amount to an overall material\n             weakness for the department.\nBudgetary Accounting: Budgetary accounts are a category of general ledger\n                         accounts where transactions related to the receipt, obligation,\n                         and disbursement of appropriations and other authorities to\n                         obligate and spend agency resources are recorded. Since the\n                         department received a disclaimer of opinion in FY 07, the\n                         audit is limited to the balance sheet and statement of\n                         custodial activity. As a result, audit coverage over budgetary\n                         accounts is limited to undelivered orders.\n\n     Military              Limited Progress\n\n\n\n\n                                                                                               14\n\x0c                 FINANCIAL MANAGEMENT SCORECARD\n                 The Coast Guard has made \xe2\x80\x9climited\xe2\x80\x9d progress in this area. Many of the\n                 internal control weaknesses that contributed to a material weakness in\n                 budgetary accounting at the Coast Guard in FY 2007 remained\n                 throughout FY 2008. For example, the FY 2007 IAR noted that the\n                 policies, procedures, and internal controls over the Coast Guard\xe2\x80\x99s process\n                 for validation and verification of some account balances are not effective\n                 to ensure that recorded amounts are complete, valid, accurate, and that\n                 proper approvals and supporting documentation is maintained. This\n                 condition also existed during FY 2008. While some issues may take a\n                 number of years to be corrected, several of the budgetary control\n                 weaknesses can be corrected by process improvements and strengthened\n                 policies and internal controls.\n\n      Civilian             Modest Progress\n\n                 DHS has demonstrated \xe2\x80\x9cmodest\xe2\x80\x9d progress in remediating internal control\n                 weaknesses that were noted in the FY 2007 IAR. During FY 2008, TSA\n                 corrected its material weakness in this area. However, DHS\xe2\x80\x99 biggest\n                 challenge in this area remains at FEMA.\n\n                 In FY 2008, FEMA implemented corrective actions and performed an\n                 extensive review of its open obligations, including disaster relief and\n                 response mission assignments with other federal agencies. As a result,\n                 FEMA was able to deobligate over $1 billion in funds prior to year-end,\n                 and make those funds available for FY 2008 disaster relief. FEMA also\n                 improved its processes and internal controls over the mission assignment\n                 obligation and monitoring process in FY 2008; however, significant\n                 control deficiencies remain. As a result, the departmental level material\n                 weakness condition remains at FEMA.\n\n                 Additionally, CBP did not enforce its policies and procedures to monitor\n                 and deobligate or closeout its obligations in a timely manner. In\n                 response to an audit inquiry, CBP initiated a review of open obligations\n                 and subsequently deobligated approximately $84 million in open\n                 obligations in FY 2008. As a result, CBP has a significant deficiency\n                 condition related to budgetary accounting and contributes to the\n                 departmental level material weakness.\n\n\nINFORMATION TECHNOLOGY MANAGEMENT\n\nCreating a unified IT infrastructure for effective integration and agency-wide management of\nIT assets and programs remains a challenge for the DHS Chief Information Officer (CIO). In\nSeptember 2008, we reported that DHS had taken steps to strengthen the CIO\xe2\x80\x99s role for\n\n\n\n                                                                                             15\n\x0ccentralized management of IT by providing greater authority and responsibility\nfor overseeing component CIOs\xe2\x80\x99 IT acquisitions.8 As a result, the DHS CIO is better\npositioned to govern the department\xe2\x80\x99s IT investments and resources. However, continued\nCIO staffing shortages and inconsistent component-level IT budget practices hinder the DHS\nCIO\xe2\x80\x99s ability to fully integrate department-wide IT programs. We recommended that the\nDHS CIO update the CIO office\xe2\x80\x99s staffing plan, ensure that components submit\ncomprehensive budgets, and develop and maintain IT strategic plans and enterprise\narchitectures aligned with DHS\xe2\x80\x99 mission.\n\nDHS also faces challenges in meeting OMB\xe2\x80\x99s requirement to transition to a new internet\nprotocol, IPv6, which supports an unlimited number of IP addresses and other enhanced\ncapabilities.9 Although DHS is in the early stages of the transition, the department is\nunlikely to be positioned to take timely advantage of the enhanced capabilities of IPv6. DHS\nmust also ensure that several key activities, such as establishing a comprehensive inventory\nof all IPv6 devices, finalizing its IPv6 transition strategy, and engaging its components in\nIPv6 transition planning and activities, are completed before it can fully transition to IPv6\nfunctionality.\n\nSecurity of IT Infrastructure\n\nDuring our FY 2007 Federal Information Security Management Act10 (FISMA) evaluation of\nthe department\xe2\x80\x99s intelligence systems, we reported that much progress had been made in\nestablishing an enterprise-wide IT security program that supports the department\xe2\x80\x99s\nintelligence operations and assets. However, procedural and operational issues remained\nregarding the implementation of the department\xe2\x80\x99s intelligence security program and system\ncontrols.11\n\nWe also reviewed Homeland Security Presidential Directive 12 (HSPD-12), Policy for a\nCommon Identification Standard for Federal Employees and Contractors. The purpose of\nHSPD-12 is to enhance security, increase government efficiency, reduce identity fraud, and\nprotect personal privacy by establishing a mandatory, government-wide standard for secure\nand reliable forms of identification issued by the federal government to its employees and\ncontractors. The department is scheduled to complete its HSPD-12 implementation in 2010,\ntwo years after OMB\xe2\x80\x99s mandated deadline for all agencies.\n\nIn September 2008, we reported that components have not implemented appropriate security\ncontrols to enforce the department\xe2\x80\x99s policies on the acceptable use of portable storage\ndevices.12 The proliferation and uncontrolled use of portable storage devices (e.g., flash\n\n\n8\n  DHS-OIG, Progress Made in Strengthening DHS Information Technology Management, But Challenges \n\nRemain, OIG-08-91, September 2008. \n\n9\n  In August 2005 OMB issued Memorandum 05-22 (M-05-22), Transition Planning for Internet Protocol \n\nVersion 6 (IPv6), establishing the goal of transitioning federal agencies\xe2\x80\x99 wide area networks to IPv6. \n\n10\n   Title III of the 2002 E-Government Act, Public Law 107-347 \n\n11\n   DHS-OIG, Challenges Remain in Executing the Department of Homeland Security\xe2\x80\x99s Information Technology \n\nProgram for Its Intelligence Systems, OIG-08-48, April 2008. \n\n12\n   DHS-OIG, Review of DHS Security Program for Portable Storage Devices, OIG-08-95, September 2008. \n\n\n\n\n                                                                                                     16\n\x0cdrives, external hard drives, and portable music players) increases the risk of theft and\nmishandling of sensitive information.\n\nDHS Component IT Management\n\nAlthough improvements have been made, DHS continues to struggle with agency-wide IT\nmanagement, planning, and investment, which has resulted in limited system integration and\ndata sharing. For example, in October 2007, we reported that due to a lack of authority and\nstandard policies to govern technology implementation, TSA\xe2\x80\x99s CIO faces significant\nchallenges in conducting agency-wide IT planning and investment management. We\nconcluded that TSA\xe2\x80\x99s IT management could be strengthened by empowering the CIO with IT\nbudget authority, developing an agency-wide strategic planning approach, implementing an\nenterprise architecture, establishing guidelines to manage IT development, and increasing\nstaff resources within the IT division.\n\nSimilarly, our April 2008 assessment of FEMA\xe2\x80\x99s efforts to upgrade its disaster logistics\nmanagement systems13 showed that, although the agency has made short-term progress in\naddressing disaster goods procurement and delivery during disasters, more remains to be\ndone to address long-term planning and systems integration needs. FEMA has taken steps to\nimprove its logistics capabilities by gathering independent evaluations to assess its existing\nsystems, identify IT systems requirements, and select technologies to meet its logistics needs.\nHowever, existing systems do not provide complete asset visibility, comprehensive asset\nmanagement, or integrated logistics information. We recommended that FEMA finalize its\nlogistics strategy and operational plans, develop standard business processes and procedures\nfor logistics activities, evaluate current technologies, and develop a strategy for acquiring IT\nsystems to support the logistics mission.\n\nPrivacy\n\nDHS still faces challenges in ensuring that privacy concerns are addressed throughout the\nlifecycle of each program and information system that contains sensitive personally\nidentifiable information. According to the E-Government Act of 2002, federal agencies must\nconduct a Privacy Impact Assessment (PIA) for each new or substantially changed IT system\nthat collects, uses, maintains, or disseminates personally identifiable information,\ndemonstrating that they have incorporated privacy safeguards throughout the development\nlifecycle of their programs or systems. Although DHS requires PIAs at the very earliest\nstage of a project or before beginning a pilot test, DHS officials did not conduct risk\nassessments in a number of IT system implementations.14\n\nIn April 2008, we reported that the Intelligence and Analysis\xe2\x80\x99 National Applications Office\n(NAO) had made progress by involving the DHS Privacy Office early in its privacy program\nplanning and development of key organizational documents. However, a revised PIA and a\n\n\n13\n   DHS-OIG, Logistics Information Systems Need to be Strengthened at the Federal Emergency Management \n\nAgency, OIG-08-60, May 2008. \n\n14\n   DHS Privacy Office, Privacy Impact Assessment Guidance, May 2007. \n\n\n\n\n                                                                                                     17\n\x0cCivil Liberties Impact Assessment reflecting changes in NAO\xe2\x80\x99s Charter and proposed\noperations were also necessary before NAO become operational.15\n\nIT Management Scorecard\n\nThe following scorecard demonstrates where IT management functions of the DHS CIO and\nthe seven largest DHS component-level CIO offices have been strengthened. This high-level\nassessment identifies progress in six IT management capability areas: IT budget oversight,\nIT strategic planning, enterprise architecture, portfolio management, capital planning and\ninvestment control, and IT security. These six elements were selected based on IT\nmanagement capabilities required by federal and DHS guidelines for enabling CIOs to\nmanage IT department-wide. The ratings were based on a four-tiered scale ranging from\nlimited to substantial progress:\n\n       \xef\xbf\xbd\t Limited: Plans are in place for this capability, but the capability has not been fully\n          implemented;\n       \xef\xbf\xbd\t Modest: The capability is partially implemented, with limited IT management\n          benefits realized;\n       \xef\xbf\xbd\t Moderate: The capability is implemented with moderate IT management benefits\n          realized; and\n       \xef\xbf\xbd\t Substantial: The capability is implemented with substantial IT management benefits\n          realized.\n\nBased on the consolidated result of the six IT management capability areas, the DHS OCIO\nhas made \xe2\x80\x9cmoderate\xe2\x80\x9d progress in the area of overall Information Technology Management.\n\n\n                             IT MANAGEMENT SCORECARD\n\nIT Budget Oversight: ensures visibility into IT spending and alignment with the\n                                  strategic IT direction.\n\n       DHS CIO                    Modest Progress\n\n                       The DHS CIO has made improvements in managing department-wide IT\n                       budgets in accordance with the Clinger-Cohen Act and the department\xe2\x80\x99s\n                       mission and policy guidance. The DHS CIO plans to conduct reviews\n                       across the department of all investments that contain IT assets and\n                       services. The goals for IT budget reviews are to resolve IT budget issues\n                       prior to OMB submission, align IT investments with targets and\n                       priorities, and eliminate redundancies. Progress in this area was further\n                       evidenced by the FY 2010 IT budget planning guidance, issued in\n                       January 2008, on better integrating component IT resource reviews with\n                       DHS program and budget reviews. With support of DHS leadership, the\n\n15\n     DHS-OIG, National Applications Office Privacy Stewardship, OIG-08-35, April 2008.\n\n\n\n                                                                                                   18\n\x0c                     IT MANAGEMENT SCORECARD\n                DHS OCIO will continue to focus on improving IT budget capabilities.\n Component\n     CIOs                 Modest Progress\n\n                Overall, components demonstrated \xe2\x80\x9cmodest\xe2\x80\x9d progress in conducting IT\n                budget planning and programming functions. Although component-level\n                IT budget responsibilities have increased through DHS Management\n                Directive 0007.1, more than 70% of DHS component CIOs remain\n                hindered by ineffective, decentralized IT budget practices. Most\n                component CIOs plan to further centralize existing IT budget functions\n                to meet requirements in the management directive to prepare a\n                component IT budget. A number of DHS components are implementing\n                initiatives to increase centralized management of IT investments by\n                restructuring and consolidating IT spending accounts that are currently\n                managed by separate offices throughout the agency.\n\nIT Strategic Planning: helps align the IT organization to support mission and\n                           business priorities.\n\n   DHS CIO               Moderate Progress\n\n                Per OMB Circular A-130, an effective IT strategic plan establishes an\n                approach to align resources and provides a basis for articulating how the\n                IT organization will develop and deliver capabilities to support mission\n                and business priorities. The DHS OCIO has made progress aligning IT\n                with department goals. Although the current IT strategic planning\n                approach does not fully link technology to mission requirements, the\n                OCIO plans to achieve strategic outcomes and stronger IT alignment\n                with the Secretary\xe2\x80\x99s goals. The OCIO is currently updating DHS\xe2\x80\x99 IT\n                strategic plan and has communicated the plan\xe2\x80\x99s goals to the CIO Council.\n Component\n     CIOs                 Modest Progress\n\n                As of January 2008, approximately 70% of the component-level CIOs\n                had developed an IT strategic plan as required by Management Directive\n                0007.1. However, not all components can consistently link strategic\n                goals and objectives with IT investments. Further, although some\n                component CIOs said that they had developed an IT strategic plan, not all\n                are up-to-date.\n\n                Improvements are planned by some component CIOs who are updating\n                their IT strategic plans. However, until the improvements are made, the\n                agency may fall short of its potential to improve business processes and\n                systems.\n\n\n\n                                                                                           19\n\x0c                          IT MANAGEMENT SCORECARD\n\nEnterprise Architecture: functions as a blueprint to guide IT investments for the\n                                   organization.\n\n      DHS CIO                 Moderate Progress\n\n                    The Clinger-Cohen Act16 requires that CIOs develop and implement an\n                    integrated IT architecture for the agency to avoid the risk that systems\n                    will be duplicative, not well integrated, and limited in optimizing mission\n                    performance. The DHS-level enterprise architecture has advanced\n                    greatly as an effective tool for reviews and IT management decision-\n                    making. Overall, the DHS OCIO has increased its ability to enforce\n                    architecture alignment through Management Directive 0007.1.\n                    Significant progress is due in part to the IT Acquisition Review process,\n                    which has helped promote and enforce such alignment. The OCIO plans\n                    to mature and optimize the department\xe2\x80\x99s architecture through\n                    performance-based outcomes and to develop the data architecture further\n                    in mission-critical areas.\n     Component\n                              Moderate Progress\n         CIOs\n                    Management Directive 0007.1 requires component CIOs to implement a\n                    detailed enterprise architecture specific to the component\xe2\x80\x99s mission and\n                    in support of DHS\xe2\x80\x99 mission. As of January 2008, more than 70% of the\n                    component-level CIOs could align IT investments with the department\xe2\x80\x99s\n                    architecture. Most components have component-level architectures used\n                    for some degree of IT investment decision-making. However,\n                    architecture products, such as reference models, definitions of current\n                    and future state architectures, and transition plans are in varying stages of\n                    development or use. A number of components said that their architecture\n                    products were out of date or needed to be better defined.\n\nPortfolio Management: improves leadership\xe2\x80\x99s ability to understand interrelationships\nbetween IT investments and department priorities and goals.\n\n      DHS CIO                 Moderate Progress\n\n                    The DHS OCIO has made \xe2\x80\x9cmoderate\xe2\x80\x9d progress in establishing the\n                    department\xe2\x80\x99s portfolio management capabilities as instructed by OMB\n                    Circular A-130.17 The DHS portfolio management program aims to\n\n16\n  Clinger-Cohen Act of 1996, Public Law 104-106, Division E, Section 5125, February 10, 1996.\n17\n  Revision of Office of Management and Budget Circular A-130, Transmittal 4, Management of Federal\nInformation Resources, July 1994.\n\n\n\n                                                                                                     20\n\x0c                 IT MANAGEMENT SCORECARD\n            group related IT investments into defined capability areas to support\n            strategic goals and missions. Portfolio management improves\n            leadership\xe2\x80\x99s visibility into relationships among IT assets and department\n            mission and goals across organizational boundaries.\n\n            The DHS OCIO has a solid plan in place to implement portfolio\n            management capabilities in FY 2008. The OCIO has recently finalized\n            plans, along with the first round of documentation and guidance, for a\n            department-level portfolio management approach. Currently, there are\n            22 defined portfolio areas, six of which are considered priority areas:\n            infrastructure, geospatial, case management, human resources, screening\n            and credentialing, and finance. In addition, OCIO has created a portfolio\n            management integrated project team to develop transition plans, measure\n            performance, and standardize the portfolio management process.\n            Although progress is being made, the department is not yet realizing\n            management benefits from the portfolio management program. As a\n            result, the department may miss opportunities for system integration and\n            cost savings.\nComponent\n    CIOs              Modest Progress\n\n            Overall, DHS components have made \xe2\x80\x9cmodest\xe2\x80\x9d progress in establishing\n            portfolio management capabilities. Full implementation of this\n            capability remains a work in progress, due in part to challenges in\n            creating and aligning component-specific portfolios with DHS\xe2\x80\x99 22\n            portfolios. Most DHS component-level CIOs have developed a mapping\n            approach to align component IT systems with DHS-level portfolios.\n\n            Many CIOs said that it is a complicated process to align their unique\n            mission and business processes with multiple DHS-level IT portfolios.\n            For example, Coast Guard officials said that they are working with DHS\n            OCIO officials to determine which portfolios will be associated with\n            each of the systems they identified in the IT budget review. Until this\n            capability is fully implemented, DHS components may continue to invest\n            in systems within organizational silos, limiting opportunities for\n            consolidation and cost savings.\n\n\n\n\n                                                                                        21\n\x0c                      IT MANAGEMENT SCORECARD\n\nCapital Planning and Investment Control: improves the allocation of resources\n                                        to benefit the strategic needs of the department.\n\n   DHS CIO                Moderate Progress\n\n                 The Clinger-Cohen Act requires that departments and agencies create a\n                 capital planning and investment control (CPIC) process to manage the\n                 risk and maximize the value of IT acquisitions. The CPIC process is\n                 intended to improve the allocation of resources to benefit the strategic\n                 needs of the department. As part of the CPIC process, agencies are\n                 required to submit business plans for IT investments to OMB\n                 demonstrating adequate planning. Through such efforts, in FY 2007, the\n                 94 DHS programs on the management watch list were reduced to 18. In\n                 FY 2008, 53 programs are listed. Officials in the OCIO have sought to\n                 remove these programs from the list by working with the program\n                 managers through the CPIC Administrator\xe2\x80\x99s bimonthly meetings.\n                                                          Modest Progress\n  Component\n      CIOs                 Modest Progress\n\n                 Most components have not yet achieved an integrated planning and\n                 investment management capability. More than 70% of the major DHS\n                 components had limited capital planning processes outside the existing\n                 OMB 300 process. However, some component CIOs said that they are\n                 creating a CPIC process to integrate with existing governance structures\n                 such as the Investment Review Board. For example, the ICE Investment\n                 Review Board resembles a CPIC group, incorporating major areas such\n                 as security, budget, and enterprise architecture. The ICE CIO said that\n                 this process has helped components leverage resources more effectively.\n\nIT Security: ensures protection that is commensurate with the harm that would result\n               from unauthorized access to information.\n\n   DHS CIO                Moderate Progress\n\n                 DHS IT security is rated at \xe2\x80\x9cmoderate,\xe2\x80\x9d for progress made during the last\n                 2 years in compliance with FISMA. OMB Circular A-130 requires\n                 agencies to provide protection that is commensurate with the risk and\n                 magnitude of the harm that would result from unauthorized access to\n                 information and systems assets or their loss, misuse, or modification.\n                 The DHS CIO has taken an active role in ensuring that components\n                 comply with FISMA. In 2007, the CIO requested that components focus\n                 on improving areas such as certification and accreditation, annual self\xc2\xad\n\n\n                                                                                            22\n\x0c                            IT MANAGEMENT SCORECARD\n                      assessments, and plan of action and milestones management. According\n                      to the DHS OCIO, additional quality control measures have been\n                      implemented manage the certification and accreditation process better.\n                      The DHS OCIO also plans to focus on improving disaster recovery and\n                      continuity of operations over the coming year.\n                      (Components were not rated on IT Security)\n\n\n\nCATASTROPHIC DISASTER RESPONSE AND RECOVERY\nThe primary mission of FEMA is to reduce the loss of life and property and protect the\nNation from all hazards, including natural disasters, acts of terrorism, and other man-made\ndisasters. FEMA does this by leading and supporting the Nation in a risk-based,\ncomprehensive emergency management system of preparedness, protection, response,\nrecovery, and mitigation.\n\nIn March 2008, we released a report on FEMA\xe2\x80\x99s progress in addressing nine key\npreparedness areas related to catastrophic disasters.18 FEMA made moderate progress in five\nof the nine areas: overall planning, coordination and support, interoperable communications,\nlogistics, and acquisition management. FEMA made modest progress in evacuation,\nhousing, and disaster workforce, and limited progress in mission assignments. (Please see\nthe catastrophic disaster response and recovery scorecard below for a discussion of selected\nareas.) Our broader recommendations addressed the improvements needed in overall\nplanning, coordination, and communications. FEMA officials said that budget shortfalls,\nreorganizations, inadequate IT systems, and confusing or limited authorities impeded their\nprogress.\n\nIn FY 2009, we will continue to conduct studies regarding FEMA\xe2\x80\x99s preparedness, response,\nand recovery efforts. These studies will allow us to further assess FEMA\xe2\x80\x99s progress in\ntransforming itself to be better prepared to lead the federal effort in responding to a\ncatastrophic disaster.\n\nCatastrophic Disaster Response and Recovery Scorecard\n\nThe following scorecard highlights FEMA\xe2\x80\x99s progress in six key areas: logistics, evacuations,\nhousing, disaster workforce, mission assignments, and acquisition management. The ratings\nwere based on a four-tiered scale ranging from limited to substantial progress:\n\n       \xef\xbf\xbd\t Limited: There is an awareness of the critical issues needing to be addressed, but\n          specific corrective actions have not been identified;\n       \xef\xbf\xbd\t Modest: corrective actions have been identified, but implementation is not yet \n\n          underway;\n\n\n18\n     DHS-OIG, FEMA\xe2\x80\x99s Preparedness for the Next Catastrophic Disaster, OIG-08-34, March 2008.\n\n\n\n                                                                                               23\n\x0c     \xef\xbf\xbd\t Moderate: Implementation of corrective action is underway, but few if any have\n        been completed; and\n     \xef\xbf\xbd\t Substantial: Most or all of the corrective actions have been implemented.\n\nBased on the consolidated result of the six areas, FEMA has made \xe2\x80\x9cmoderate\xe2\x80\x9d progress in the\narea of catastrophic disaster response and recovery.\n\n\nFEMA CATASTROPHIC DISASTER RESPONSE AND RECOVERY\n                   SCORECARD\n                                                                 Moderate Progress\nLogistics\n\n The mission of FEMA\xe2\x80\x99s Logistics Management Directorate is to plan, manage, and\nsustain the national logistics response and recovery operations in support of domestic\nemergencies. FEMA has made \xe2\x80\x9cmoderate\xe2\x80\x9d progress in meeting its logistics\nresponsibilities such as acquiring, receiving, storing, shipping, tracking, sustaining, and\nrecovering commodities, assets, and property in the event of a catastrophic disaster.\n\nThe Post-Katrina Emergency Management Reform Act of 2006 (Post-Katrina Act) 19\nrequires FEMA to develop a logistics system that provides visibility of disaster goods\nfrom procurement to delivery. FEMA has not yet met this requirement. FEMA\xe2\x80\x99s total\nasset visibility system is unable to track goods from warehouses to staging areas to\ndistribution sites. Nor can it track goods received from federal and nonfederal partners.\nFEMA needs to finalize its logistics plans, implement standardized processes and\nprocedures for logistics activities, and develop a strategy for acquiring IT systems to\nsupport the logistics mission.20\n\nDetermining the types and quantities of commodities that FEMA may need in the\naftermath of a disaster is a continuing challenge. In 2005, FEMA was criticized for\nhaving too few commodities available in the aftermath of Hurricane Katrina. In 2006,\nFEMA acquired inventory that was not needed during the mild hurricane season,\nresulting in waste. In-depth analysis of this issue resulted in FEMA\xe2\x80\x99s determination that\npre-positioning commodities is neither logistically prudent nor an effective use of\ntaxpayer funds. Instead, FEMA plans to rely on public and private sector partners to\nprovide needed items. FEMA appears to have made progress in developing these\npartnerships, as well as working more closely with states to determine where state\nshortfalls are likely to occur.\n\nA Distribution Management Strategy Working Group is developing and documenting an\nintegrated national policy and strategy for managing and controlling inventory,\n19\n   Public Law 109-295, Title VI \xe2\x80\x93 National Emergency Management, Department of Homeland Security \n\nAppropriations Act of 2007.\n \n\n20\n   DHS-OIG, Logistics Information Systems Need to Be Strengthened at the Federal Emergency \n\nManagement Agency, OIG-08-60, May 2008. \n\n\n\n\n                                                                                                     24\n\x0cFEMA CATASTROPHIC DISASTER RESPONSE AND RECOVERY\n                   SCORECARD\npositioning commodities, and distributing critical resources. In the past, FEMA has been\nprone to drafting strategies, policies, and procedures that were never finalized. FEMA\nleadership should ensure that this Working Group proposes strategies and policies in a\ntimely manner and that these proposals are promptly reviewed, finalized, and\nimplemented.\n                                                             Modest Progress\nEvacuations\n\nThe conduct of evacuation operations is generally a state, tribal, and local responsibility.\nHowever, some circumstances exceed the capabilities of those jurisdictions to support\nmass evacuations. Where federal support is required, FEMA coordinates the support\nwith the affected state, local and tribal governments. Federal support is scaled to the\nincident level and may be provided in the form of cost reimbursement or direct\nassistance, for example, providing buses, trains, and air ambulances for evacuation.\n\nFEMA has a number of initiatives underway for improving evacuation management\ncapabilities and published a Mass Evacuation Incident Annex describing evacuation\nfunctions and agency roles and responsibilities in mass evacuations. However, no single\nentity within FEMA is responsible for emergency evacuation planning or operations.\nFEMA has not yet developed a single national system to support multistate, state-\nmanaged, or local evacuation operations. Coordinating transportation for evacuees\nduring emergencies, collaborating with states to receive and accommodate the needs of\nevacuees, and ensuring that dedicated resources are available to support evacuation plans,\nremain significant challenges.\n                                                             Modest Progress\nHousing\n\n Although improvements have been made, disaster housing remains a major challenge, as\ndemonstrated by the results of our recent audits of FEMA housing programs and\ninitiatives. Issues with accountability, management, and disposal of emergency housing\nunits persist. Plans for addressing catastrophic disaster housing needs must be developed\nand tested. As we have learned from past and recent disasters, not being prepared with a\nfull range of housing options has significant implications for evacuees and the states and\ncommunities that host them.\n\nIn March 2008, we reported that FEMA had made modest progress in the key\npreparedness area of housing. While FEMA is striving to improve its disaster housing\nassistance strategy and coordination, it needs to develop and test innovative catastrophic\ndisaster housing plans to deal with large-scale displacement of citizens for extended\nperiods, where traditional housing programs have been shown to be inefficient,\nineffective, and costly.\n\n\n                                                                                               25\n\x0cFEMA CATASTROPHIC DISASTER RESPONSE AND RECOVERY\n                   SCORECARD\n\nIn October 2008, we reported that FEMA\xe2\x80\x99s strategy for ending its direct housing\nassistance program is generally sound, and that FEMA has made considerable progress\nrecovering temporary housing units in the Gulf Coast region.21 However, FEMA\xe2\x80\x99s\nstrategy is not complete since FEMA\xe2\x80\x99s strategy has not recertified resident eligibility or\ntaken action to recover temporary housing units from ineligible residents. FEMA must\nimplement the recertification of eligibility process to ensure recovery of all temporary\nhousing units by March 1, 2009, which is the ending date of FEMA\xe2\x80\x99s direct housing\nassistance program for hurricanes Katrina and Rita.\n\nThe Post-Katrina Act requires FEMA to develop, coordinate, and maintain a National\nDisaster Housing Strategy (NDHS). FEMA released the draft NDHS for a 60-day public\ncomment period in July 2008. We are currently conducting a review of FEMA\xe2\x80\x99s future\nhousing strategies and are reviewing the NDHS as part of this effort. FEMA must move\nforward with a finalized strategy to guide future disaster housing efforts.\n                                                                Modest Progress\nDisaster Workforce\n\nA trained, effective disaster workforce is one of the most effective tools FEMA has to\nmeet its mission. FEMA\xe2\x80\x99s disaster workforce consists mainly of reservists who serve\ntemporarily during a disaster, with no employee benefits. During the 2005 Gulf Coast\nhurricanes, FEMA struggled to provide qualified staff and did not have the automated\nsupport to deploy more than 5,000 disaster personnel on short notice. As FEMA evolves,\nits disaster workforce strategy, structure, and systems need to keep pace.\n\nTo date, FEMA has not completed or has not been able to verify the completion of five of\nnine workforce-related actions required by the Post-Katrina Act. The five incomplete or\nunconfirmed actions are:\n   \xef\xbf\xbd Developing a Strategic Human Capital Plan;\n   \xef\xbf\xbd Establishing career paths;\n   \xef\xbf\xbd Conferring with state, local, and tribal government officials when selecting\n       regional administrators;\n   \xef\xbf\xbd Training regional strike teams as a unit and equipping and staffing these teams;\n       and\n   \xef\xbf\xbd Implementing a surge force capacity plan.\nThe congressionally mandated due dates for these actions range from March 2007\nthrough July 2007.\n\n\n\n21\n  DHS-OIG, FEMA\xe2\x80\x99s Exit Strategy for Temporary Housing in the Gulf Coast Region, OIG-09-02, October\n2008.\n\n\n\n                                                                                                     26\n\x0cFEMA CATASTROPHIC DISASTER RESPONSE AND RECOVERY\n                   SCORECARD\n                                                            Limited Progress\nMission Assignments\n\nFEMA is responsible for coordinating the urgent, short-term emergency deployment of\nfederal resources to address immediate threats and for stewardship of the associated\nexpenditures from the Disaster Relief Fund. FEMA uses mission assignments to request\ndisaster response support from other federal agencies. Past audits and reviews regarding\nmission assignments have concluded that FEMA\xe2\x80\x99s management controls were generally\nnot adequate to ensure that:\n    \xef\xbf\xbd Deliverables (missions tasked) met requirements;\n    \xef\xbf\xbd Costs were reasonable;\n    \xef\xbf\xbd Invoices were accurate;\n    \xef\xbf\xbd Federal property and equipment were adequately accounted for or managed; and\n    \xef\xbf\xbd FEMA\xe2\x80\x99s interests were protected.\n\nFEMA guidelines regarding the mission assignment process, from issuance of an\nassignment through execution and closeout, have never been fully developed, creating\nmisunderstandings among federal agencies concerning mission assignment operational\nand fiduciary responsibilities. Implementing Section 693 of the Post-Katrina Act, which\nallows FEMA to designate up to 1% of the funds provided to federal agencies for disaster\nrelief activities as oversight funds, will help ensure effective stewardship and oversight of\nmonies the recipient agencies use for activities conducted under the FEMA reimbursable\nmission assignment process.\n                                                            Moderate Progress\nAcquisition Management (Catastrophic\nDisasters)\nAfter a disaster, FEMA\xe2\x80\x99s tendency has been to acquire goods and services quickly, but\nwith insufficient attention to costs, definition of requirements, and competition. To\nbalance urgency of needs with good business practices, FEMA\xe2\x80\x99s OAM has awarded\napproximately 27 pre-disaster response contracts and 70 recovery contracts. Planning and\nnegotiating these contracts in advance of a disaster provides more advantageous terms to\nthe government and more opportunity for small and local businesses.\n\nFEMA has found it difficult to recruit experienced acquisition staff. FEMA has increased\nits acquisition staff from just 35 when Hurricane Katrina struck to about 150 today.\nFEMA has also increased staffing and training of contracting officer\xe2\x80\x99s technical\nrepresentatives (COTRs), who are responsible for technical contract oversight, inspecting\ngoods, and approving invoices. However, staffing remains a challenge. The new\nacquisition personnel need training and experience in acquiring goods and services under\nemergency circumstances. Recent OIG reports recommended increased oversight of\ncontractor actions and reviews of services and invoices by COTRs.\n\n\n                                                                                                27\n\x0cFEMA CATASTROPHIC DISASTER RESPONSE AND RECOVERY\n                   SCORECARD\n\nFEMA needs to continue hiring and training acquisition personnel, allocating staff where\nthe need is greatest among Headquarters and the 10 FEMA regional offices, and\ndeveloping reliable, integrated financial and information systems.\n\n\nGRANTS MANAGEMENT\nMonitoring and documenting the effectiveness of DHS\xe2\x80\x99 multitude of grant programs poses an\nincreasingly significant challenge for the department. DHS manages more than 80 disaster\nand non-disaster grant programs. This challenge is compounded by other federal agencies\xe2\x80\x99\ngrant programs that assist state and local governments in improving their abilities to prepare\nfor, respond to, and recover from acts of terrorism or natural disasters. FEMA has yet to\nfully implement the April 2007 reorganization directed by the Post Katrina Emergency\nManagement Reform Act of 2006. Most states are not sufficiently monitoring subgrantee\ncompliance with grant terms and cannot clearly document critical improvements in\npreparedness as a result of grant awards.\n\nDuring FY 2008, we issued audit reports on homeland security preparedness grant\nmanagement by the states of New Jersey, Ohio, Michigan, Georgia, Florida, Utah, Arizona,\nand Washington. These states generally did an adequate job of administering the program\nrequirements; however, the most prevalent areas needing improvement concerned the\nmonitoring of subgrantees and controls over personal property and equipment.\n\nWe are concluding audits of the effectiveness of grant awards under the State Homeland\nSecurity Grant Program in California and Illinois. During the first quarter of FY 2009, we\nalso anticipate issuing an audit mandated by the Implementing Recommendations of the 9/11\nCommission Act of 2007 (Public Law 110-53) on FEMA\xe2\x80\x99s grant management and oversight\npractices.\n\nGiven the billions of dollars appropriated annually for preparedness, disaster, and non-\ndisaster grant programs, DHS needs to ensure that internal controls are in place and adhered\nto, and that grant recipients are sufficiently monitored to achieve successful outcomes. DHS\nshould continue refining its risk-based approach to awarding preparedness grants to ensure\nthat areas and assets that represent the greatest vulnerability to the public are as secure as\npossible. Sound risk management principles and methodologies will help DHS prepare for,\nrespond to, recover from, and mitigate acts of terrorism and natural disasters.\n\n\nINFRASTRUCTURE PROTECTION\nDHS has direct responsibility for leading, integrating, and coordinating efforts to protect 10 \n\ncritical infrastructure and key resources (CI/KR) sectors: the chemical industry; commercial \n\n\n\n                                                                                             28\n\x0cfacilities; dams; emergency services; commercial nuclear reactors, materials, and waste;\ninformation technology; telecommunications; postal and shipping; transportation systems;\nand government facilities. In addition, DHS has an oversight role in coordinating the\nprotection of seven sectors for which other federal agencies have primary responsibility.22\nThe requirement to rely on federal partners and the private sector to deter threats, mitigate\nvulnerabilities, or minimize incident consequences complicates protection efforts for all\nCI/KR. Combined with the uncertainty of the terrorist threat and other manmade or natural\ndisasters, the implementation of protection efforts is a great challenge.\n\nIn FY 2007, we reported several opportunities for DHS to improve its engagement of public\nand private partners and to prioritize resources and activities based on risk.23 For example, a\ncomprehensive national database that inventories assets is essential to provide a\ncomprehensive picture of the Nation\xe2\x80\x99s CI/KR and to enable management and resource\nallocation decision-making. We are reviewing how DHS uses an asset database to support its\nrisk management framework. We also plan to evaluate how DHS coordinates infrastructure\nprotection with other sectors by reviewing the protection of petroleum and natural gas\ninfrastructure within the energy sector.\n\nProtecting national as well as internal cyber infrastructure continues to be a challenge for\nDHS. We recently reviewed the department\xe2\x80\x99s progress in identifying and prioritizing its\ninternal cyber critical infrastructure in accordance with Homeland Security Presidential\nDirective 7.24 This directive established a national policy for the federal government to\nidentify, prioritize, and protect U.S. critical infrastructure, including the internal critical\nassets used by each department. We found that the department needs to take additional steps\nto produce a prioritized inventory and to coordinate related efforts to secure these assets. We\nrecommend that the department assign responsibility and provide the resources necessary to\ndetermine protection priorities for its internal critical infrastructure, including critical cyber\ninfrastructure. In addition, the department should develop a process to coordinate internal\nefforts to protect these assets. In FY 2009, we plan to review the National Cyber Security\nDivision\xe2\x80\x99s strategy for control systems security and its Computer Emergency Readiness\nTeam.\n\n\nBORDER SECURITY\nA principal DHS challenge is reducing America\xe2\x80\x99s vulnerability to terrorism by controlling\nthe borders of the United States. To this end, DHS is implementing the Secure Border\nInitiative (SBI), a comprehensive multi-year program to secure the borders and reduce illegal\nimmigration. The Coast Guard, U.S. Citizenship and Immigration Services, CBP, and ICE\n\n22\n   The seven sectors for which DHS has an oversight role are agriculture and food; the defense industrial base; \n\nenergy; public health and healthcare; national monuments and icons; banking and finance; and water and water \n\ntreatment systems. \n\n23\n   DHS OIG, A Review of Homeland Security Activities Along a Segment of the Michigan-Canadian Border,\n \n\nOIG-07-68, August 2007; Review of the Buffer Zone Protection Program, OIG-07-59, July 2007; The\n \n\nDepartment of Homeland Security\xe2\x80\x99s Role in Food Defense and Critical Infrastructure Protection, OIG-07-33,\n \n\nFebruary 2007. \n\n24\n   DHS OIG, Letter Report: DHS Needs to Prioritize Its Cyber Assets, OIG-08-31, March 2008. \n\n\n\n\n                                                                                                              29\n\x0call have key roles in the SBI program. To ensure SBI success, it is critical that the program\nbe thoroughly planned. DHS also must institute an approach to coordinating the SBI\nfunctions and activities of the participating DHS components with the related efforts of other\nagencies. We are conducting a series of audits to evaluate whether the SBI program\ninitiatives are being accomplished in an economical, efficient, and effective manner.\n\nThe technology component of SBI, known as SBInet, involves the acquisition, development,\nintegration, and deployment of surveillance systems. It also involves communications and\nintelligence technologies. In FY 2006, we recommended that CBP improve the effectiveness\nof remote surveillance technology to correct the lack of integration between border\nsurveillance cameras and ground sensors, which were plagued by false alarms.25 CBP has\nmade some progress in improving surveillance and detection technology along the Southwest\nborder via Project 28, which includes enhanced radars, sensors, and cameras. However,\ndelays associated with software integration problems have required CBP to extend the\ncompletion dates for implementation from December 2008 to sometime in 2009.\nConsequently, Border Patrol Agents continue to use technology that predates SBInet and, in\nthe Tucson, Arizona sector, they are still using capabilities from SBInet\xe2\x80\x99s prototype system\ndespite previously reported performance shortfalls.26\n\nThe definition and management of requirements is another significant challenge for the\nSBInet program. According to GAO,27 the SBInet program office issued guidance on the\ndevelopment and acquisition of software and systems that is consistent with recognized\nleading practices. However, this guidance was not finalized until February 2008, and thus\nwas not used in performing a number of important requirements-related activities. For\nexample, there is a lack of traceability among the different levels of requirements. This\nlimits the program office\xe2\x80\x99s ability to determine whether the scope of the contractor\xe2\x80\x99s design,\ndevelopment, and testing efforts will produce a system that meets operational needs and\nperforms as intended.\n\nAlso, efforts are needed to ensure that ICE can support its detention and removal operations.\nIn our recent reviews of ICE\xe2\x80\x99s oversight of immigration detention facilities, we recommended\nthat ICE improve its standards, strengthen its oversight of facilities, and enhance operations.28\nWe are completing an audit of ICE\xe2\x80\x99s acquisition and management of \xe2\x80\x9cbed space\xe2\x80\x9d needs to\nsupport detention and removal operations.\n\n\n\n\n25\n   DHS-OIG, A Review of Remote Surveillance Technology along U.S. Land Borders, OIG-06-15,\n \n\nDecember 2005.\n \n\n26\n   GAO-08-1141T, SBI Observations on Deployment Challenges, September 2008. \n\n27\n   GAO-08-1086, Secure Border Initiative: DHS Needs to Address Significant Risks in Delivering Key \n\nTechnology Investment, September 2008. \n\n28\n   DHS-OIG, ICE Policies Related to Detainee Deaths and the Oversight of Immigration Detention Facilities,\n \n\nOIG-08-52, June 2008; DHS-OIG, ICE\xe2\x80\x99s Compliance with Detention Limits for Aliens with Final Order for \n\nRemoval from the U.S., OIG-07-28, February 2007; DHS-OIG, U.S. Immigration and Customs Enforcement\xe2\x80\x99s \n\nDetainee Tracking Process, OIG-07-08, November 2006; DHS-OIG, Treatment of Immigration Detainees \n\nHoused at Immigration and Customs Enforcement Facilities, OIG-07-01, December 2006; Detention and \n\nRemoval of Illegal Aliens, OIG-06-33, April 2006. \n\n\n\n\n                                                                                                          30\n\x0cTRANSPORTATION SECURITY\nThe Nation\xe2\x80\x99s transportation system, which moves millions of passengers and tons of freight\nevery day, is an attractive terrorist target and creates an enormous security challenge due to\nits size and complexity. TSA was originally created as a part of the Department of\nTransportation after September 11, 2001, to strengthen the security of the Nation\xe2\x80\x99s\ntransportation systems, including aircraft, ships, rail, motor vehicles, airports, seaports,\ntransshipment facilities, roads, railways, bridges, and pipelines. However, since its inception,\nTSA has focused on aviation.\n\nCheckpoint and Checked Baggage Performance\n\nThe Aviation and Transportation Security Act29 requires TSA to screen or inspect all\npassengers, goods, and property before entry into the sterile areas of an airport. Our\nundercover audits of screener performance revealed that improvements are needed in the\nscreening process to ensure that dangerous prohibited items are not carried into the sterile\nareas of heavily used airports and do not enter the checked baggage system. In past testing,\nwe noted four areas that caused most of the test failures: training; equipment and technology;\npolicies and procedures; and management and supervision. TSA agreed with our conclusion\nthat significant improvements in screener performance will be possible only with the\nintroduction of new technology. TSA plans to purchase 300 advanced technology x-rays and\n80 passenger imagers. Currently TSA has 700 advanced x-rays and 40 passenger-imaging\nunits deployed at 12 airports. We recently released a classified report on our penetration\ntesting results, specifically at those airports with explosives trace portals and an airport that\nhad a whole body imager, and found that improvements to effectively secure sterile airport\nareas are still needed.30\n\nThe OIG will continue to exercise oversight of TSA\xe2\x80\x99s performance and processes of\ncheckpoint and checked baggage screening. We are currently in the process of conducting\naudits of TSA\xe2\x80\x99s controls over screener uniforms, badges, and identification cards, as well as\nthe effectiveness of TSA\xe2\x80\x99s explosives detection systems on-screen alarm resolution protocol.\nThese reports will be issued later this year.\n\nEmployee Workplace Issues\n\nA stable, mature, and experienced TSA workforce is one of the most effective tools to meet\nthe agency\xe2\x80\x99s mission. Despite the value of the TSA workforce, employees have expressed\ntheir concerns about how the agency operates by historically filing formal complaints at rates\nhigher than other federal agencies of comparable size. Our audit of TSA\xe2\x80\x99s efforts to address\nemployee concerns found that low employee morale continues to be an issue at some airports\nand has contributed to TSA\xe2\x80\x99s 17% voluntary attrition rate.31\n\n\n29\n   Public Law 107-71, November 19, 2001. \n\n30\n   DHS-OIG, Airport Passenger and Checked Baggage Performance, OIG-08-25, February 2008. \n\n31\n   DHS-OIG, TSA\xe2\x80\x99s Efforts to Proactively Address Employee Concerns, OIG-08-62, May 2008. \n\n\n\n\n                                                                                              31\n\x0cMore than half the employees we interviewed described the agency\xe2\x80\x99s efforts to educate them\non the various initiatives available to address their workplace concerns as \xe2\x80\x9cinadequate.\xe2\x80\x9d We\nmade six recommendations to the Assistant Secretary of TSA to provide employees with\nsufficient tools, including clear guidance and better communication, on the structures,\nauthorities, and oversight responsibilities of the initiatives we reviewed. TSA fully or partly\nconcurred with five of the recommendations and has taken action to resolve them.\n\nPassenger Air Cargo Security\n\nThe vast and multifaceted U.S. air cargo system transports approximately 7,500 tons of cargo\non passenger planes each day, making air cargo vulnerable to terrorist threats. Federal\nregulations (49 CFR) require that, with limited exceptions, passenger aircraft may only\ntransport cargo originating from a shipper that is verifiably \xe2\x80\x9cknown\xe2\x80\x9d either to the aircraft\noperator or to the indirect air carrier that has tendered the cargo to the aircraft operator. We\nare conducting an audit to assess how TSA ensures that cargo from unknown shippers is not\nbeing shipped on passenger planes. This report is expected to be issued later this year.\nDuring 2009, we also plan to audit TSA\xe2\x80\x99s cargo security measures during ground movement.\n\nRail and Mass Transit\nSince the terrorist attacks of September 11, 2001, the London subway bombings, and the\nMadrid rail bombings, DHS has taken steps to manage risk and strengthen our Nation\xe2\x80\x99s rail\nand transit systems. While most mass transit systems in this country are owned and operated\nby state and local government or private industry, securing these systems is a shared\nresponsibility among federal, state, and local partners.\nDHS operates multiple programs, including several grants, to improve rail and mass transit\nsecurity. In June 2008, we reported on TSA\xe2\x80\x99s efforts to secure mass transit through four\nmajor assistance programs: the Surface Transportation Security Inspection Program, Transit\nSecurity Grant Program, Visible Intermodal Prevention and Response program, and the\ndeployment of canine explosive detection teams for rail.32 TSA needs to clarify its transit rail\nmission, improve interoffice communication and coordination, develop memorandums of\nunderstanding with local transit authorities, and develop additional regulations. TSA also\nneeds to understand and address system-specific security requirements better. We are\ncompleting mandates to review the effectiveness of the Trucking Industry Security Grant\nProgram and to report further on the Surface Transportation Security Inspection Program.\n\nDuring emergencies transit agencies must rely on well-designed and regularly practiced drills\nand exercises to respond and recover rapidly and effectively. Recent events on the rail\nsystems in Washington DC, including a derailment and a fire, have raised questions\nregarding the mass transit agencies\xe2\x80\x99 contingency plans and the ability to handle these basic\nissues, as well as major emergencies. We will evaluate TSA\xe2\x80\x99s efforts to ensure that mass\ntransit agencies are prepared to respond and recover from emergencies on passenger rail\nsystems. We will review TSA\xe2\x80\x99s role in security program management and accountability,\n\n32\n  DHS-OIG, TSA\xe2\x80\x99s Administration and Coordination of Mass Transit Security Programs, OIG-08-66, June\n2008.\n\n\n\n                                                                                                      32\n\x0csecurity and emergency response training, drills and exercises, public awareness, and other\nprotective measures for passenger rail systems.\n\n\nTRADE OPERATIONS AND SECURITY\n\nCBP is primarily responsible for trade operations and security, with the support of the Coast\nGuard and ICE. Each year, more than 16 million containers arrive in the United States by\nship, truck, and rail. CBP typically processes more than 70,000 truck, rail, and sea containers\nper day, along with the personnel associated with moving this cargo across U.S. borders or to\nU.S. seaports. Modernizing trade systems, using resources efficiently, and managing and\nforging partnerships with foreign trade and customs organizations pose significant challenges\nfor CBP and DHS.\nCBP works with trade representatives to implement processes and systems to help secure the\nsupply chain and uses targeting systems to identify the highest risk cargo on which to focus\nits limited resources. Recently, CBP increased its international efforts to secure the cargo\nsupply chain by expanding its work with the Customs-Trade Partnership against Terrorism\nprogram and by improving its multi-layered security strategy.\n\nThe Coast Guard and Maritime Transportation Act of 2004 (Public Law 108-293) requires\nus to evaluate and report annually on the effectiveness of the Automated Targeting System\n(ATS), which is an intranet-based enforcement and decision support tool used by CBP\nseaport inspectors to help determine which containers entering the country will undergo\ninspection. Our annual ATS review in 200833 focused on a subsystem of ATS, the Cargo\nEnforcement Reporting and Tracking System (CERTS), which is designed to gather data on\ncargo examination findings and report on how efficiently examination equipment is being\nused. We identified the need for improvements in planning, updating, developing, and\nimplementing CERTS. Specifically, CBP needs to update the project plan to include the\nscope of work, and a detailed implementation schedule for system design, developing and\ntesting, and cost estimates past phase one. In addition, CBP bypassed key life cycle reviews\ndesigned to ensure that end users have a properly working system and have received\nmanagement\xe2\x80\x99s approval to continue the project.\n\nThe Coast Guard is responsible for developing and implementing a comprehensive National\nMaritime Transportation Security Plan to deter and respond to transportation security\nincidents. Our most recent annual review of mission performance34 revealed that the Coast\nGuard must make several improvements to implement the Maritime Transportation Security\nAct of 2002 (Public Law 107-295) in a timely and effective manner. For example, the Coast\nGuard needs to balance the resources devoted to the performance of homeland and non-\nhomeland security missions; improve the performance of its homeland security missions;\nmaintain and re-capitalize its Deepwater fleet of aircraft, cutters, and small boats; restore the\n\n\n33\n   DHS-OIG, Targeting of Cargo Containers 2008: Review of CBP\xe2\x80\x99s Cargo Enforcement Reporting and\nTracking System, OIG-08-65, June 2008.\n34\n   DHS-OIG, Annual Review of Mission Performance \xe2\x80\x93 FY2006, OIG-08-30, February 2008.\n\n\n\n                                                                                                  33\n\x0creadiness of small boat stations to perform their search and rescue missions; and increase the\nnumber and quality of resource hours devoted to non-homeland security missions.\n\nWe are reviewing CBP\xe2\x80\x99s Account Management Program and National Targeting and\nAnalysis Groups, which aim to improve revenue collection compliance. We are also\nreviewing DHS\xe2\x80\x99 planning, management oversight, and implementation of security measures\nto protect against small vessel threats.\n\n\n\n\n                                                                                            34\n\x0cAppendix A\nReport Distribution\n\n\n      Department of Homeland Security\n\n      Secretary\n      Deputy Secretary\n      Executive Secretary\n      Chief of Staff\n      Deputy Chief of Staff\n      General Counsel\n      Under Secretary Management\n      Assistant Secretary for Public Affairs\n      Assistant Secretary for Policy\n      Assistant Secretary for Legislative Affairs\n      Chief Financial Officer\n      Chief Information Officer\n      Chief Security Officer\n      Chief Privacy Officer\n\n      Office of Management and Budget\n\n      Chief, Homeland Security Branch\n      DHS OIG Program Examiner\n\n      Congress\n\n      Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\n                                                                              35\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"